I. System Installation
Under normal circumstances only three Internet Information Services (IIS) components need to be selected:
Internet Service Manager + World Wide Web Server + Common Files
Accessories and Utilities can all be skipped (they are not commonly used); next comes Terminal Services, and all the others are checked!
Disk partitioning: 10 GB is normally ample for drive C; install other applications, such as the FTP server Serv-U, on drive D. That way, if the system crashes and has to be completely reinstalled, only the data on drive C needs to be backed up.
2. Install hardware drivers
After the drivers are installed, the system automatically loads some programs; clean up the startup items with a tool such as Super Rabbit. Other drivers, such as the sound card's, may not be found; there is no need to install them, because the sound card is usually not used on a server and there is no point wasting time here. If the system recognizes the graphics card by default, you do not need to install a separate driver either.
II. Patch installation
After installing the system, if SP4 is not yet installed, install Windows 2000 SP4 first, then go to Windows Update to install all remaining patches online. You can also download the patch set (download provided by chinaz.com) to save time, since Microsoft's website is sometimes very slow.
Copy necessary software to drive D
For example, place a copy of the I386 directory from the Win2K installation media on drive D for later use (for example, when reinstalling IIS).
Create a new SOFT directory on drive D to store commonly used software, such as the installation files for PHP, MySQL, DUM, Serv-U, SQL Server and so on.
III. System Security Settings
1. User Management
Delete TsInternetUser, rename the Guest user and change its password!
Rename the Administrator user and change its password!
2. Do not let the system display the name of the last user who logged on. Procedure:
In the registry, under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon, set the REG_SZ value DontDisplayLastUserName to 1.
3. Do not allow null sessions.
By default any user can connect to the server through a null session, enumerate accounts and guess passwords. This can be disabled in either of two ways:
(1) Modify the registry
Set HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous to 1.
(2) Modify the Windows 2000 Local Security Policy
In Local Security Policy > Local Policies > Security Options, set the RestrictAnonymous option ("Additional restrictions for anonymous connections") to "Do not allow enumeration of SAM accounts and shares".
4. Enable security auditing
Administrative Tools > Local Security Policy > Local Policies > Audit Policy; there are normally 9 items in total.
Recommended settings:
Audit policy change: Failure
Audit logon events: Success
Audit object access: Failure
Audit privilege use: Failure
Audit system events: Failure
Audit directory service access: Failure
Audit account logon events: Success
Audit account management: Failure
Not every audit policy needs to be enabled, for example auditing successful object access; otherwise excessive system resources are consumed.
5. IP Security Policy configuration
Download a ready-made policy and import it directly (detailed configuration methods can be found in online articles), for example http://afei.blog.chinaz.com/PreviousFile/OS/2006-1/128918890.rar. After downloading, open Administrative Tools > Local Security Policy > IP Security Policies, right-click and choose All Tasks > Import Policies. After the import, assign the new IP security policy; then right-click Administrative Tools > Local Security Policy > Security Settings and choose Reload.
6. Disable unnecessary and dangerous system services.
A freshly installed Windows 2000 Server system has the following services by default; set them to the status shown:
Alerter - Disabled
Application Management - Disabled
Automatic Updates - Disabled
Background Intelligent Transfer Service - Disabled
ClipBook - Disabled
COM+ Event System - Manual
Computer Browser - Disabled
DHCP Client - Disabled
Distributed File System - Disabled
Distributed Link Tracking Client - Automatic
Distributed Link Tracking Server - Disabled
Distributed Transaction Coordinator - Automatic
DNS Client - Automatic
Event Log - Automatic
Fax Service - Disabled
File Replication - Disabled
IIS Admin Service - Automatic
Indexing Service - Manual
Internet Connection Sharing - Manual
Intersite Messaging - Disabled
IPSEC Policy Agent - Automatic
Kerberos Key Distribution Center - Disabled
License Logging Service - Disabled
Logical Disk Manager - Automatic
Logical Disk Manager Administrative Service - Manual
Messenger - Disabled
Microsoft Search - Disabled (this service appears after SQL Server 2000 SP3 is installed)
Net Logon - Manual
NetMeeting Remote Desktop Sharing - Manual
Network Connections - Automatic
Network DDE - Manual
Network DDE DSDM - Manual
NT LM Security Support Provider - Manual
Performance Logs and Alerts - Manual
Plug and Play - Automatic
Print Spooler - Disabled
Protected Storage - Automatic
QoS RSVP - Manual
Remote Access Auto Connection Manager - Manual
Remote Access Connection Manager - Manual
Remote Procedure Call (RPC) - Automatic
Remote Procedure Call (RPC) Locator - Manual
Remote Registry Service - Disabled (must be disabled)
Removable Storage - Automatic
Routing and Remote Access - Disabled
RunAs Service - Disabled
Security Accounts Manager - Automatic
Smart Card - Manual
Smart Card Helper - Manual
System Event Notification - Automatic
Task Scheduler - Disabled (must be disabled)
TCP/IP NetBIOS Helper Service - Disabled (must be disabled)
Telephony - Manual
Telnet - Disabled
Terminal Services - Automatic
Uninterruptible Power Supply - Manual
Utility Manager - Manual
Windows Installer - Manual
Windows Management Instrumentation - Automatic
Windows Management Instrumentation Driver Extensions - Automatic
Windows Time - Manual
Wireless Configuration - Manual
Workstation - Automatic
World Wide Web Publishing Service - Automatic
As an administrator, you should know which services are in use, so that after someone breaks into the system you can promptly discover whether services left behind by the intruder are running.
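The check the preceding paragraph asks for, as an added example that is not part of the original article: a subset of the section 6 baseline is compared against a constructed service snapshot, flagging startup-type drift, services the baseline does not know, and baseline services that have gone missing. The Name,StartMode,State CSV layout and the `wmic` export command are assumptions (Windows 2000 itself does not ship wmic; the export would come from a newer admin host or be typed up from the Services snap-in).

```python
import csv
import io

# Subset of the section 6 baseline: service name -> expected startup type.
BASELINE = {
    "Alerter": "Disabled",
    "Remote Registry Service": "Disabled",
    "Task Scheduler": "Disabled",
    "TCP/IP NetBIOS Helper Service": "Disabled",
    "Event Log": "Automatic",
    "World Wide Web Publishing Service": "Automatic",
    "Net Logon": "Manual",
}

# Constructed snapshot (sample data, not from a real host). The Name,StartMode,
# State columns assume a CSV export such as `wmic service get Name,StartMode,
# State /format:csv` from a newer admin host (Windows 2000 has no wmic).
SNAPSHOT_CSV = """Name,StartMode,State
Alerter,Disabled,Stopped
Remote Registry Service,Auto,Running
Task Scheduler,Disabled,Stopped
TCP/IP NetBIOS Helper Service,Manual,Running
Event Log,Auto,Running
World Wide Web Publishing Service,Auto,Running
Net Logon,Manual,Stopped
Remote Helper Agent,Auto,Running
"""

# The export says "Auto" where the article's list says "Automatic"; normalise.
STARTMODE = {"auto": "Automatic", "manual": "Manual", "disabled": "Disabled"}


def audit_services(snapshot_csv, baseline=BASELINE):
    """Return sorted (service, expected, observed) findings: expected is the
    baseline startup type or "UNKNOWN" (not in the baseline, the intruder-left
    service case); observed is "StartMode/State" or "MISSING"."""
    findings, seen = [], set()
    for row in csv.DictReader(io.StringIO(snapshot_csv)):
        name = row["Name"].strip()
        seen.add(name)
        mode = STARTMODE.get(row["StartMode"].strip().lower(), row["StartMode"])
        expected = baseline.get(name, "UNKNOWN")
        if expected == "UNKNOWN" or mode != expected:
            findings.append((name, expected, f"{mode}/{row['State'].strip()}"))
    for name in baseline.keys() - seen:
        # A baseline service that no longer exists is also worth a look.
        findings.append((name, baseline[name], "MISSING"))
    return sorted(findings)
```

Calling `audit_services(SNAPSHOT_CSV)` on the sample reports the Remote Registry Service re-enabled, the NetBIOS helper set to Manual and running, and the unlisted "Remote Helper Agent" service; extend BASELINE with the full section 6 list for a real host.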
7. Modify the registry
Delete everything under the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OS/2 Subsystem for NT
Delete the following value:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\Os2LibPath
Delete the following values:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\Optional
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\Posix
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\Os2
8. Change the default port of Terminal Services (only when necessary; the default port is 3389 and can be changed to any port from 1 to 65535)
Open the registry and go to HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations.
Find the subkey named RDP-Tcp and modify its PortNumber value.
9. NIC port filtering (depends on the specific configuration; normally this does not need to be configured, and a restart is required for it to take effect)
In the NIC properties: TCP/IP protocol properties > Advanced > Options > TCP/IP Filtering properties:
Item 1, TCP ports:
Permit only the following (add ports according to the services this server provides):
80 (WWW service)
21 (default FTP)
53 (DNS service)
110 (mail POP3 service)
25 (mail SMTP service)
plus the port of your remote terminal (the default is 3389, or whatever you changed it to, for example 6666)
Item 2, UDP ports:
Do not add this restriction, because once it is applied the server cannot open web pages or perform other operations (although it is of course much safer)
Item 3, IP protocols:
Permit only protocol 6 (TCP)
10. Start IIS security configuration: Start > Programs > Administrative Tools > Internet Services Manager
By default there is a site called "Default Web Site"; delete it.
In the IIS manager, right-click the host and open Properties; a window named "<machine name> Properties" appears. Under Master Properties, select "WWW Service" and click Edit.
Go to the Home Directory tab and, under Application Settings, click Configuration. Under App Mappings you can see mappings for extensions such as .htw, .htr, .idq and .ida.
Delete all of them except .asp, .asa, .shtml, .shtm and .stm, because almost every other mapping has had security vulnerabilities. (This applies when CGI and similar services are not installed; once CGI is installed, its mapping is added here automatically, and without a mapping CGI programs cannot run. The same goes for PHP and ASP.NET.)
The default IIS publishing directory is C:\Inetpub; delete it. Create a directory on drive D or E (any name, such as WWW), create a site, and point its home directory to the directory you created.
The purpose is to separate the site from the system, so that a failure of the site's security settings does not compromise the security of the system.
11. Others
In the NIC properties: TCP/IP protocol properties > Advanced > WINS > select "Disable NetBIOS over TCP/IP".
Delete the two subdirectories of C:\WINNT\Web (one is the desktop wallpaper directory, the other the printers directory; if the printers directory exists, the IIS default site seems to always have an extra Printers directory).
IV. System-related directory and file permission settings
Drives C, D, E and so on are all set so that only the Administrators group has Full Control (required)
C:\Program Files
This directory is read by things such as database connections, and is an important permission setting on drive C.
Set